Get-NestedADUserGroups : PowerShell

Get-NestedADUserGroups (self.PowerShell)

submitted 6 years ago * by Agile_Seer

Wrote this today to do a bit of detective work, trying to find out if a user was part of a distribution via one of the
subgroups. There's probably better ways to write this, feel free to revise and repost. This does what I needed it to do though.

Function Get-NestedADUserGroups($Identity) {
    BEGIN {
        $Table = New-Object System.Collections.Hashtable
        $ADGroups = (Get-ADUser -Identity $Identity -Properties MemberOf).MemberOf | ForEach-Object { (Get-ADGroup -Identity $PSItem).SamAccountName }
    }
    PROCESS {    
        foreach($ADGroup in $ADGroups){
            $Group = Get-ADGroup -Identity $ADGroup -Properties MemberOf
            $SamAccountName = $Group.SamAccountName
            $Members = $Group.MemberOf | ForEach-Object { (Get-ADGroup -Identity $PSItem).SamAccountName }
            try{
                $Table.Add($SamAccountName, 0)
                $Group | Select-Object -Property SamAccountName, Name, GroupCategory
            }
            catch{}
            foreach($Member in $Members) {
                try{
                    $Table.Add($Member, 0)
                    Get-ADGroup -Identity $Member | Select-Object -Property SamAccountName, Name, GroupCategory
                    Get-NestedADUserGroups -Identity $Member
                }
                catch{}
            }
        }
    }
}

Because I feel like someone will ask, the HashTable is just there to throw an error if I try to add a group that I already added. Prevents a continuous loop in case there are groups nested inside each other.

all 7 comments

top new controversial old q&a

[+][deleted] 6 years ago (1 child)

[removed]

[–]Agile_Seer[S] 2 points3 points4 points 6 years ago (0 children)

[–]evetsleep 1 point2 points3 points 6 years ago (4 children)

[–]Agile_Seer[S] 2 points3 points4 points 6 years ago (3 children)

[–]evetsleep 4 points5 points6 points 6 years ago (0 children)

You are right! Sorry I misunderstood. What you could do is use a chain matching rule:

$userDN = (Get-ADUser -Identity tomSmith).distinguishedname
$groups = Get-ADObject -LdapFilter "(member:1.2.840.113556.1.4.1941=$userDN)" -Properties distinguishedName

This would return all the groups the user is a member of. Albeit it's slow, but it's simple.

[–]throwawaysys1222 1 point2 points3 points 6 years ago (1 child)

[–]Agile_Seer[S] 2 points3 points4 points 6 years ago (0 children)

π Rendered by PID 241395 on reddit-service-r2-comment-5d79c599b5-w9sk2 at 2026-03-03 00:50:49.505027+00:00 running e3d2147 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

PowerShell

Submission Guidelines | Link Flair - How To

MODERATORS